I am still stymied trying to test NTPsec with self-signed certs. Still getting "unknown ca" on the server. I would appreciate any assistance in this effort. With thanks, Rich Schmidt
I ran this on server "pluto" and on client "ptp":

# Set up self-signed certificates
server=$1   # pluto or ptp

# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
#
# Generate private key
#
openssl genrsa -out $server.key 4096
#
# Create public certificate by signing with our CA
#
# Generate certificate signing request
openssl req -new -key $server.key -out $server.csr
#
# Sign the request with our CA
openssl x509 -req -days 365 -in $server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out $server.crt
#
cat ca.crt $server.crt > nts.crt
cat ca.key $server.key > nts.key

-------------------------------------------------
Server "pluto" ntp.conf:

nts enable ca /var/lib/ntp/certs/
nts key /var/lib/ntp/certs/nts.key
nts cert /var/lib/ntp/certs/nts.crt
nts cookie /var/lib/ntp/nts-keys

---------------------------------------------
Server "pluto" log:

2020-05-07T16:23:51 ntpd[27974]: INIT: OpenSSL 1.0.2k-fips 26 Jan 2017, 100020bf
2020-05-07T16:23:51 ntpd[27974]: NTSs: starting NTS-KE server listening on port 123
2020-05-07T16:23:51 ntpd[27974]: NTSs: loaded certificate (chain) from /var/lib/ntp/certs/nts.crt
2020-05-07T16:23:51 ntpd[27974]: NTSs: loaded private key from /var/lib/ntp/certs/nts.key
2020-05-07T16:23:51 ntpd[27974]: NTSs: Private Key OK
2020-05-07T16:23:51 ntpd[27974]: NTSs: listen4 worked
2020-05-07T16:23:51 ntpd[27974]: NTSs: listen6 worked
2020-05-07T16:23:51 ntpd[27974]: NTSc: Using dir /var/lib/ntp/certs/ for root certificates.
2020-05-07T16:24:58 ntpd[27974]: NTSs: TCP accept-ed from 10.0.0.175:43498
2020-05-07T16:24:58 ntpd[27974]: NTSs: SSL accept from 10.0.0.175:43498 failed, 0.004 sec
2020-05-07T16:24:58 ntpd[27974]: NTS: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

-----------------------------------------------
Client "ptp" ntp.conf:

server pluto nts ca /var/lib/ntp/certs/

------------------------------------------------
Client "ptp" log:

2020-05-07T16:31:11 ntpd[31511]: INIT: OpenSSL 1.0.2k-fips 26 Jan 2017, 100020bf
2020-05-07T16:31:11 ntpd[31511]: NTSc: Using system default root certificates.
2020-05-07T16:31:12 ntpd[31511]: DNS: dns_probe: pluto, cast_flags:1, flags:21801
2020-05-07T16:31:12 ntpd[31511]: NTSc: DNS lookup of pluto took 0.000 sec
2020-05-07T16:31:12 ntpd[31511]: NTSc: nts_probe connecting to pluto:123 => 10.0.0.200:123
2020-05-07T16:31:12 ntpd[31511]: NTSc: Using dir /var/lib/ntp/certs/ for root certificates.
2020-05-07T16:31:12 ntpd[31511]: NTSc: SSL_connect failed
2020-05-07T16:31:12 ntpd[31511]: NTS: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2020-05-07T16:31:12 ntpd[31511]: NTSc: NTS-KE req to pluto took 0.013 sec, fail

-----------------------------------------------
On server:

cat nts.crt | openssl verify
stdin: C = US, ST = DC, L = Washington, O = RE Schmidt, CN = pluto
error 18 at 0 depth lookup:self signed certificate
OK

------------------------------------------------
On client:

cat nts.crt | openssl verify
stdin: C = US, ST = DC, L = Washington, O = RE Schmidt, CN = ptp
error 18 at 0 depth lookup:self signed certificate
OK

-- 
“The ideal subject of totalitarian rule is not the convinced Nazi or the convinced communist, but people for whom the distinction between fact and fiction . . . and the distinction between true and false . . . no longer exist.” —Hannah Arendt, “The Origins of Totalitarianism” (1951)
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
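Editor's added example, not Rich's script and not anything shipped by NTPsec. The posted script mints a fresh CA every time it runs, so pluto and ptp each trust only the CA they generated themselves; the client's "certificate verify failed" and the "unknown ca" alert the server receives are the two sides of that one failure. Three OpenSSL details also matter for the file layout: the first certificate in the "nts cert" file is the one presented as the server certificate (the posted nts.crt starts with ca.crt, which is why the server-side verify shows a self-signed CN=pluto at depth 0), the first key in the "nts key" file is the one loaded (so "Private Key OK" here means ca.key matched ca.crt, and the CA key is sitting on the NTP server for no reason), and a "ca" directory is an OpenSSL hashed lookup directory, so it needs the <hash>.0 links that "openssl rehash" (1.1.0+) or "c_rehash" (1.0.2) create. The script below builds one CA, signs a server certificate with a SAN matching the name the client uses in its "server" line, writes nts.crt leaf-first and nts.key with only the host key, hashes the CA directory, and checks both that the chain verifies and that an unrelated self-signed CA rejects it, which is the posted situation. Hostnames, paths and subject names are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script, not NTPsec code): one CA, one server
# certificate signed by it, files laid out the way OpenSSL, and therefore
# ntpd's "nts cert" / "nts key" / "nts ca", expects. Names, paths and
# subjects are placeholders.
set -eu

OUTDIR="${OUTDIR:-./nts-pki}"   # where everything is written
SERVER="${SERVER:-pluto}"        # the name clients use in "server <name> nts"
DAYS=365
BITS=2048                        # 4096 works too; it is just slower to generate

# Self-signed CA with explicit CA extensions, so the result does not depend on
# whatever openssl.cnf happens to be installed. Key and cert are written to $1.
make_self_signed_ca() {
    dir="$1"; subj="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ca.key" "$BITS" 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "$subj" -out "$dir/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days "$DAYS" -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -set_serial 01 -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
}

make_ca() {
    # Done once, on one machine. Clients get a copy of ca.crt; nothing else
    # ever needs ca.key, least of all the NTP server.
    make_self_signed_ca "$OUTDIR" "/O=Example/CN=Example NTS Root CA"
}

make_server_cert() {
    name="$1"
    openssl genrsa -out "$OUTDIR/$name.key" "$BITS" 2>/dev/null
    openssl req -new -key "$OUTDIR/$name.key" -subj "/CN=$name" -out "$OUTDIR/$name.csr"
    # Leaf extensions; the SAN is the name the client connects to.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$name" > "$OUTDIR/$name.ext"
    openssl x509 -req -days "$DAYS" -in "$OUTDIR/$name.csr" \
        -CA "$OUTDIR/ca.crt" -CAkey "$OUTDIR/ca.key" -set_serial 02 \
        -extfile "$OUTDIR/$name.ext" -out "$OUTDIR/$name.crt" 2>/dev/null
    # nts.crt: host certificate FIRST, issuer after it. OpenSSL presents the
    # first certificate in the file as the server certificate.
    cat "$OUTDIR/$name.crt" "$OUTDIR/ca.crt" > "$OUTDIR/nts.crt"
    # nts.key: only the host key.
    cp "$OUTDIR/$name.key" "$OUTDIR/nts.key"
    chmod 600 "$OUTDIR/$name.key" "$OUTDIR/nts.key"
}

make_ca_dir() {
    # "nts ca <directory>" is an OpenSSL hashed lookup directory: copying
    # ca.crt in is not enough, the <hash>.0 links have to exist as well.
    mkdir -p "$OUTDIR/cadir"
    cp "$OUTDIR/ca.crt" "$OUTDIR/cadir/ca.crt"
    openssl rehash "$OUTDIR/cadir" 2>/dev/null || c_rehash "$OUTDIR/cadir" >/dev/null 2>&1
}

verify_chain() {
    # The same question the NTS-KE client asks: does the server certificate
    # chain to something in the CA directory?
    openssl verify -CApath "$OUTDIR/cadir" "$OUTDIR/$1.crt" >/dev/null 2>&1
}

verify_against_unrelated_ca() {
    # Reproduces the posted setup: the verifier trusts a different self-signed
    # CA from the one that signed the server cert. Returns 0 when, as
    # expected, verification FAILS.
    make_self_signed_ca "$OUTDIR/unrelated" "/CN=Some other CA"
    if openssl verify -CAfile "$OUTDIR/unrelated/ca.crt" "$OUTDIR/$1.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

main() {
    make_ca
    make_server_cert "$SERVER"
    make_ca_dir
    verify_chain "$SERVER" && echo "$SERVER.crt chains to $OUTDIR/cadir: OK"
    verify_against_unrelated_ca "$SERVER" && echo "an unrelated CA rejects it, as in the posted logs"
}

# Executed directly: build everything. Set NTS_PKI_LIB=1 to only load the functions.
[ -n "${NTS_PKI_LIB:-}" ] || main
```

Run it once on the machine that is to own the CA, install nts.crt and nts.key on pluto, and copy the hashed cadir (or just ca.crt, followed by a rehash) to ptp's "ca" directory; ptp never needs a CA of its own. "openssl verify -CApath" exercises the same hashed-directory lookup that a directory argument to "nts ca" does, so if that command fails on a host, ntpd will fail there too.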